chore(deps): bump dependencies with 3 updates

[dependabot]

Bumps the github-actions group with 3 updates: astro, astro-og-canvas and vercel.

Updates astro from 6.1.7 to 6.1.8

Release notes

Sourced from astro's releases.

[email protected]

Patch Changes

• #16367 a6866a7 Thanks @​ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

• #16381 217c5b3 Thanks @​ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

• #16348 7d26cd7 Thanks @​ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

• #16317 d012bfe Thanks @​das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

• #16379 5a84551 Thanks @​martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

• #16317 d012bfe Thanks @​das-peter! - Adds tests to verify settings are properly propagated when using the development server.

• #16282 5b0fdaa Thanks @​jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

• Updated dependencies [e0b240e]:

  • @​astrojs/telemetry@​3.3.1

Changelog

Sourced from astro's changelog.

6.1.8

Patch Changes

• #16367 a6866a7 Thanks @​ematipico! - Fixes an issue where build output files could contain special characters (!, ~, {, }) in their names, causing deploy failures on platforms like Netlify.

• #16381 217c5b3 Thanks @​ematipico! - Slightly improved the performance of the dev server by caching the internal crawling of the dependencies of a project.

• #16348 7d26cd7 Thanks @​ocavue! - Fixes a bug where emitted assets during a client build would contain always fresh, new hashes in their name. Now the build should be more stable.

• #16317 d012bfe Thanks @​das-peter! - Fixes a bug where allowedDomains weren't correctly propagated when using the development server.

• #16379 5a84551 Thanks @​martrapp! - Improves Vue scoped style handling in DEV mode during client router navigation.

• #16317 d012bfe Thanks @​das-peter! - Adds tests to verify settings are properly propagated when using the development server.

• #16282 5b0fdaa Thanks @​jmurty! - Fixes build errors on platforms with skew protection enabled (e.g. Vercel, Netlify) for inter-chunk Javascript using dynamic imports

• Updated dependencies [e0b240e]:

  • @​astrojs/telemetry@​3.3.1

Commits

• 63c5c85 [ci] release (#16356)
• 71c93ca [ci] format
• 5a84551 Improves Vue scoped style handling in DEV mode during client router navigatio...
• ba2dbf1 refactor(astro): correct Fixture type signatures in test-utils (#16380)
• 217c5b3 perf(core): cache crawl result (#16381)
• 6e5bc17 chore: absorb tests into others (#16365)
• dc8a01d chore: reduce fixtures by merging them (#16364)
• bb0ff91 refactor(astro): migrate error tests to typescript (#16377)
• a6866a7 fix(core): clean chunk name (#16367)
• 811015d chore: remove lone fixtures (#16363)
• Additional commits viewable in compare view

Updates astro-og-canvas from 0.11.0 to 0.11.1

Release notes

Sourced from astro-og-canvas's releases.

[email protected]

Patch Changes

• #163 390fdea Thanks @​renovate! - Updates dependency canvaskit-wasm to ^0.41.1

Changelog

Sourced from astro-og-canvas's changelog.

0.11.1

Patch Changes

• #163 390fdea Thanks @​renovate! - Updates dependency canvaskit-wasm to ^0.41.1

Commits

• 574c03c Version Packages (#165)
• 867ea9d Update dependency typescript to v6 (#158)
• 390fdea Update dependency canvaskit-wasm to ^0.41.1 (#163)
• 705ec9b Update dependency astro to ^6.1.5 (#162)
• See full diff in compare view

Updates vercel from 51.6.1 to 51.8.0

Release notes

Sourced from vercel's releases.

[email protected]

Minor Changes

• vercel env add now defaults Environment Variables to sensitive on Production and Preview. Sensitive values are encrypted at rest and cannot be retrieved later via the dashboard or CLI; they are still resolved for builds, deployments, vercel env pull, and runtime. (#16041)

  Behavior per target:

  • Production or Preview: defaults to sensitive. Pass --no-sensitive to opt back in to the previous encrypted behavior (value remains readable later).
  • Development: always stored as encrypted (sensitive is not supported by the Vercel API for Development). Passing --sensitive alongside a Development target now errors up-front instead of silently falling back.
  • Mixed selection (e.g., interactive checkbox picks production + preview + development): errors and asks you to run vercel env add separately for Development, because Development cannot share a record type with Production/Preview.

  Flag summary:

  • --sensitive: unchanged in meaning (request a sensitive variable); now errors when combined with Development.
  • --no-sensitive: new; opt out of the new default for Production/Preview.
  • --sensitive --no-sensitive together: errors.

  On teams that enable the "Enforce Sensitive Environment Variables" policy in team settings, the CLI now reads the policy from the team object and notes in the output that the policy is active; the server already promotes Production/Preview variables to sensitive silently, and the CLI's own logs are now honest about it. Passing --no-sensitive on a policy-on team for Production/Preview now emits a warning — the flag is a no-op because the server promotes the variable regardless — and the CLI sends type: 'sensitive' so its own --debug output matches what gets stored.

Patch Changes

• Updated dependencies [c1866cf1add2107f91cae8292e38e4854bfe0aca]:
  • @​vercel/build-utils@​13.19.1
  • @​vercel/backends@​0.1.2
  • @​vercel/elysia@​0.1.70
  • @​vercel/express@​0.1.80
  • @​vercel/fastify@​0.1.73
  • @​vercel/go@​3.5.0
  • @​vercel/h3@​0.1.79
  • @​vercel/hono@​0.2.73
  • @​vercel/hydrogen@​1.3.6
  • @​vercel/koa@​0.1.53
  • @​vercel/nestjs@​0.2.74
  • @​vercel/next@​4.16.8
  • @​vercel/node@​5.7.12
  • @​vercel/python@​6.35.0
  • @​vercel/redwood@​2.4.12
  • @​vercel/remix-builder@​5.7.2
  • @​vercel/ruby@​2.3.2
  • @​vercel/rust@​1.1.1
  • @​vercel/static-build@​2.9.20

[email protected]

Minor Changes

• [detect-services] If a vercel.toml exists, update the vercel.toml (#15895)

• Use correct filename in messages when config file is not vercel.json (#15893)

• [services] move Python workers to v2beta triggers with private routing (#15920)

... (truncated)

Changelog

Sourced from vercel's changelog.

51.8.0

Minor Changes

• vercel env add now defaults Environment Variables to sensitive on Production and Preview. Sensitive values are encrypted at rest and cannot be retrieved later via the dashboard or CLI; they are still resolved for builds, deployments, vercel env pull, and runtime. (#16041)

  Behavior per target:

  • Production or Preview: defaults to sensitive. Pass --no-sensitive to opt back in to the previous encrypted behavior (value remains readable later).
  • Development: always stored as encrypted (sensitive is not supported by the Vercel API for Development). Passing --sensitive alongside a Development target now errors up-front instead of silently falling back.
  • Mixed selection (e.g., interactive checkbox picks production + preview + development): errors and asks you to run vercel env add separately for Development, because Development cannot share a record type with Production/Preview.

  Flag summary:

  • --sensitive: unchanged in meaning (request a sensitive variable); now errors when combined with Development.
  • --no-sensitive: new; opt out of the new default for Production/Preview.
  • --sensitive --no-sensitive together: errors.

  On teams that enable the "Enforce Sensitive Environment Variables" policy in team settings, the CLI now reads the policy from the team object and notes in the output that the policy is active; the server already promotes Production/Preview variables to sensitive silently, and the CLI's own logs are now honest about it. Passing --no-sensitive on a policy-on team for Production/Preview now emits a warning — the flag is a no-op because the server promotes the variable regardless — and the CLI sends type: 'sensitive' so its own --debug output matches what gets stored.

Patch Changes

• Updated dependencies [c1866cf1add2107f91cae8292e38e4854bfe0aca]:
  • @​vercel/build-utils@​13.19.1
  • @​vercel/backends@​0.1.2
  • @​vercel/elysia@​0.1.70
  • @​vercel/express@​0.1.80
  • @​vercel/fastify@​0.1.73
  • @​vercel/go@​3.5.0
  • @​vercel/h3@​0.1.79
  • @​vercel/hono@​0.2.73
  • @​vercel/hydrogen@​1.3.6
  • @​vercel/koa@​0.1.53
  • @​vercel/nestjs@​0.2.74
  • @​vercel/next@​4.16.8
  • @​vercel/node@​5.7.12
  • @​vercel/python@​6.35.0
  • @​vercel/redwood@​2.4.12
  • @​vercel/remix-builder@​5.7.2
  • @​vercel/ruby@​2.3.2
  • @​vercel/rust@​1.1.1
  • @​vercel/static-build@​2.9.20

51.7.0

Minor Changes

• [detect-services] If a vercel.toml exists, update the vercel.toml (#15895)

• Use correct filename in messages when config file is not vercel.json (#15893)

... (truncated)

Commits

• 670553a Version Packages (#16046)
• 193c515 feat(cli): env add sensitive by default for Production and Preview (#16041)
• 5df9328 Version Packages (#16024)
• 3c17e8b Use correct filename in messages when config file is not vercel.json (#15893)
• 0dcf4a9 [detect-services] If a vercel.toml exists, update the vercel.toml (#15895)
• 0793b7d [services] move Python workers to v2beta triggers with private routing (#15920)
• 3431dae feat(cli): use POST for connex create with browser registration fallback (#16...
• aef5dc9 fix: firewall CLI bug bash fixes (#15985)
• 665c350 [CLI] Bubble up action + resource from 403 errors to agent output (#15940)
• 4a164c6 feat(cli): add table formatting for OpenAPI responses (#16011)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vercel since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openresource-dev	Ready	Preview, Comment	Apr 20, 2026 7:47am